On Fri, Mar 12, 2010 at 8:27 AM, Armaghan Saqib <[email protected]> wrote:
> On Fri, Mar 12, 2010 at 11:31 AM, Chris Travers <[email protected]>
> wrote:
>>> I have recently seen a number of bug fix releases for LSMB 1.2 and was
>>> just wondering how long it is planned to keep providing fixes for LSMB
>>> 1.2 once 1.3 is released.
>>
>> Until PostgreSQL 8.0 is no longer supported.
>
> I am not familiar with postgres release/support cycle. Can somebody
> give me the idea how long 8.0 is supported?

Another 1-2 years is likely.

>
> What I was thinking is that with all these fixes (and probably more in
> future) 1.2 branch will become extremely stable and should be an ideal
> choice for deployment at places where the feature rich future releases
> (1.3, 2.0) are not needed.

1.3 honestly has more important security features. Sometimes those are relatively unimportant, but that's not often the case. Some security issues with 1.2 are only things which can be mitigated, not entirely fixed. With 1.3, we have the first release where it is practical to fix any security issue reported.

>
> And if I remember correctly 1.2 also works perfectly with 8.3 (8.4?)
> so why it is tied to 8.0?

1.2 should work with any version of at least 8.0 or higher. However, the version has a number of issues which cannot be reasonably fixed during a production branch. These include XSRF vulnerabilities, and some HTML injection possibilities. While we have mitigated this risk to the extent possible, fixing it requires substantial rewrites of portions of the code.

Furthermore, 1.2 has no real permissions enforcement. These are probably OK in some circumstances, but the situation breaks down quickly.

1.3 requires PostgreSQL 8.1 because we use features from that version to manage and enforce permissions.

Once PostgreSQL 8.0 is fully retired, I think it will be hard to justify installing something which, as secure as we have made it all things considered, still falls short in a number of important ways.

I would expect 2.0 (at least in a minimalist form) to be out before 1.2 is retired entirely. For folks who don't need lots of features, a minimalist installation of 2.0 may be the way to go.

Best Wishes,
Chris Travers
